Git development
* SeLinux integration
From: Jens Neuhalfen @ 2008-08-17 10:44 UTC (permalink / raw)
  To: git

Hi,

I wrote an SELinux policy and an init.d script for the git-daemon
and now seek comments and improvements.

The scripts were tested on my CentOS 5.2 box and an older version had
been tested on FC 9.

  Features:
    * multiple configuration files for the init.d script
    * selinux support for git daemon
    * seboolean (git_daemon_update_repository) that forces git-daemon  
into strict read-only mode when set to false

TODO
  * The policy and the accompanying init.d script still lack  
documentation
  * see selinux/BUGS and initd/BUGS

Feel free to pull from my repository and comment. If everything is
'good' I will send patches to the list, so that SELinux support can be
integrated into the main repository.


  git://www.neuhalfen.name/git-selinux.git


Jens


* Re: SeLinux integration
From: Christian Jaeger @ 2008-08-18  8:45 UTC (permalink / raw)
  To: Jens Neuhalfen; +Cc: git

Jens Neuhalfen wrote:
> git://www.neuhalfen.name/git-selinux.git

I'm just an end user, too, so this isn't representing any official 
statement, but imho you should clean up your history before you publish 
it (and also, I think it would be a good idea to mention that your git 
repo is really including the upstream git so that people know they 
should use the --reference option to git clone to reuse the contents of 
a local upstream git to avoid pulling everything from your server):

- remove commits that don't make sense like your "XXX" file
- generally look over your history again and rework it so that it makes 
sense for a receiver (which is not necessarily the historic events of 
how you wrote it)
- follow the common commit message format (one line subject, the rest in 
the body and line wrapped)
- probably there's no reason to merge your history with historic events 
of the upstream git, so you should rebase your history onto some point 
of upstream.

You can do this by running

git branch last_upstream 053fd0c1c3da20474c4ff175c56ea4c1d6eeda11
git rebase --interactive last_upstream

(or alternatively (with the advantage that you can open and edit all 
patches at the same time, but the disadvantage that editing diffs is 
more difficult to get right than editing files in snapshots), by first 
creating patch files by running:

git format-patch master...last_upstream

then editing the patch files (and remove those which don't make sense) 
and then switch to the upstream branch and run "git-am --3way 00*patch", 
or replace 00*patch with the patch files in the order you want them 
applied).

Christian.


* Re: SeLinux integration
From: Jens Neuhalfen @ 2008-08-18 12:02 UTC (permalink / raw)
  To: Christian Jaeger; +Cc: git

> Jens Neuhalfen wrote:
> > git://www.neuhalfen.name/git-selinux.git
> 


Hi Christian,

> I'm just an end user, too, so this isn't representing any official 
...

first, thank you for taking your time! I am relatively new to git (I've been poking git for three or four weeks now), so your advice on how-to (and how-not-to) is much appreciated.

The repository is my current development repository which, naturally (?), is based on the 'blessed' repository. My understanding of git was, that anyone with a copy of the blessed git repository can 'pull' from my repository and gets my branches with git transmitting just my changes over the net. Then he/she/it can switch to 'my' branch and test the policy/init-script.

Did I get something wrong there? I thought that this is a/the normal way of using git. 

You are right with the commits and their rather terse messages, though the code is not ready for release or an integration review. The plan was: get some feedback on the current state, refine the code and then send the patches to the list.

Christian, have you been able to test the policy? I am very curious how it works on other machines (say, Gentoo) or with other setups (strict policy is completely untested, although I don't think that anyone really uses it).

Jens


> Christian.


* Re: SeLinux integration
From: Christian Jaeger @ 2008-08-18 12:47 UTC (permalink / raw)
  To: Jens Neuhalfen; +Cc: git

Jens Neuhalfen wrote:
> The repository is my current development repository which, naturally (?), is based on the 'blessed' repository. My understanding of git was, that anyone with a copy of the blessed git repository can 'pull' from my repository and gets my branches with git transmitting just my changes over the net. Then he/she/it can switch to 'my' branch and test the policy/init-script.
>
> Did I get something wrong there? I thought that this is a/the normal way of using git. 
>   

Well I'm sure you could use it this way; but check for yourself, if you 
start gitk on your repository, one has to first figure out where to find 
your work, i.e. one has to follow the right parent in your commits to see 
all of them; it's certainly possible but I guess not very inviting for 
people who just want to *look* at your work (as opposed to simply try it 
out). I'll readily admit that I just wanted to look, not try it out. But 
maybe I'm not the only one with this as his/her primary aim.

> You are right with the commits and their rather terse messages, though the code are not ready for release or an integration review. The plan was: Get some feedback on the current state, refine the code and then send the patches to the list. 
>   

Ok, maybe how you're doing it is just fine, I'll leave it to others to 
judge. But still you should be aware that it's common practice with Git 
to first clean up private history before publishing it. The history can 
explain the code much better than is possible by just looking at the 
latest committed version, and since with Git it is possible to rework 
the history as long as it is private, people frequently do it, so that 
the readers can get the most out of it. (This is more akin to patch sets, 
where each patch does a certain thing -- versus work steps, which 
document how you created the changes. The latter documentation is 
really only of interest for you, for others it's the intended changes 
which matter. So you could "git branch my_selinux_prepublish_1" to keep 
the latter history in case you want to look at it again later, then do 
the history cleanup as I've suggested and publish that instead. And 
continue to work on that reworked branch, actually.)

> Christian, have you been able to test the policy? I am very curious, how it works on other machines (say, gentoo) or with other setups (strict-policy is completely untested, although I don't think that anyone really uses it).

I don't have any SELinux setup here. I'm playing with the thought of 
looking into it, that's why the subject of your mail has caught my 
attention.

Thanks,
Christian.


* Re: SeLinux integration
From: Björn Steinbrink @ 2008-08-18 13:04 UTC (permalink / raw)
  To: Christian Jaeger; +Cc: Jens Neuhalfen, git

On 2008.08.18 14:47:13 +0200, Christian Jaeger wrote:
> Jens Neuhalfen wrote:
>> The repository is my current development repository which, naturally
>> (?), is based on the 'blessed' repository. My understanding of git
>> was, that anyone with a copy of the blessed git repository can 'pull'
>> from my repository and gets my branches with git transmitting just my
>> changes over the net. Then he/she/it can switch to 'my' branch and
>> test the policy/init-script.
>>
>> Did I get something wrong there? I thought that this is a/the normal 
>> way of using git.   
>
> Well I'm sure you could use it this way; but check for yourself, if you  
> start gitk on your repository, one has to first figure out where to find  
> your work, i.e. one has to follow the right parent in your commits to see  
> all of them; it's certainly possible but I guess not very inviting for  
> people who just want to *look* at your work (as opposed to simply try it  
> out). I'll readily admit that I just wanted to look, not try it out. But  
> maybe I'm not the only one with this as his/her primary aim.

Well, instead of using --reference, I would just add a "selinux" remote
to my existing git.git repo, fetch the stuff and then:

gitk origin/master..selinux/master

It's still not "pretty", but quite usable. And as far as I'm concerned,
it's kinda obvious that the git-selinux repo is based on the git.git
repo, so I wouldn't say that you're required to mention that explicitly.

Björn


* Re: SeLinux integration
From: Petr Baudis @ 2008-08-18 13:32 UTC (permalink / raw)
  To: Jens Neuhalfen; +Cc: git

  Hi,

On Sun, Aug 17, 2008 at 12:44:22PM +0200, Jens Neuhalfen wrote:
>  git://www.neuhalfen.name/git-selinux.git

  for the mildly curious ones, your friendly gitweb provider service
offers

	http://repo.or.cz/w/git/selinux.git

				Petr "Pasky" Baudis


* Re: SeLinux integration
From: David P. Quigley @ 2008-08-18 14:29 UTC (permalink / raw)
  To: Jens Neuhalfen; +Cc: git

On Sun, 2008-08-17 at 12:44 +0200, Jens Neuhalfen wrote:
> Hi,
> 
> I  wrote an SeLinux policy and an init.d script  for the git-daemon  
> and now seek for comments and improvements.
> 
> The scripts were tested on my Centos 5.2 box  and an older version had  
> been tested on FC 9.
> 
>   Features:
>     * multiple configuration files for the init.d script
>     * selinux support for git daemon
>     * seboolean (git_daemon_update_repository) that forces git-daemon  
> into strict read-only mode when set to false
> 
> TODO
>   * The policy and the accompanying init.d script still lack  
> documentation
>   * see selinux/BUGS and initd/BUGS
> 
> Feel free to pull from my repository and comment. If the everything is  
> 'good' I will send patches to the list, so that SeLinux support can be  
> integrated into the main repository.
> 
> 
>   git://www.neuhalfen.name/git-selinux.git
> 
> 
> Jens
> 
> --
> To unsubscribe from this list: send the line "unsubscribe git" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Hello,
   It is great to see people other than the core policy developers
working on SELinux policy. One thing I would suggest is to post your
policy to the new reference policy mailing list for SELinux. This way
people such as Chris PeBenito and Dan Walsh can look over it and give
suggestions as well. You can find the list at the link below [1]. 

[1]http://oss.tresys.com/mailman/listinfo/refpolicy

Dave

